I love making apps on Replit and have made numerous apps now for my practice that I use internally. I have also built apps directly for patients that they can access, from sleep tracking to anxiety alleviation; too many to list.
But one roadblock in scaling this for my whole patient census has been HIPAA compatibility. The agent is able to do SOC 2 Type 2 and also encryption, but I'm not sure if a BAA would be available from Replit for setting up something like that. Just throwing it out there, as more and more physicians see the power in this, and this even opens the door to building apps that are 'digital therapeutics'.
Very interested in this, as I’m also building apps for clinicians.
Also very interested.
@kody-replit any updates on this please? This keeps coming up with prospective customers.
Asked about this; we haven't prioritized it and probably won't for this year. I'll put you down as requesting it with the other enterprises that have asked, but generally people have been able to use Replit for the initial prototyping, connecting it to mock data during development, then pushing to and deploying on their own infra which is HIPAA compliant. We haven't hit anyone so far who can't even use Replit for the prototyping step without the BAA, so we haven't moved it up the roadmap.
Thanks for the response, Kody. Yeah, I had that thought also, but it's a little clunky and reduces the reliance on Replit.
Very clunky, and aces Replit Agent out of further dev beyond prototype.
I built InsightscanAI (https://www.insightscanai.com) using Replit. With the agent and assistant I am just building tools, and they would not have an impact on compliance. Compliance is a difficult topic, since different countries may have different compliance standards. But in general, compliance is usually relevant if you are a medical provider (which my website isn't). My web app is not retaining any user data but just passing it over to the GenAI API using encryption. I am not sure if OpenAI is HIPAA compliant. My website asks users to refrain from uploading any PHI such as name/DOB/address, etc. I have also tried to build a DICOM tool to strip any PHI from the uploaded file as an additional safeguard, but based on my research, it does not do so 100%.
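The point above about a DICOM scrub not catching everything is worth seeing concretely. The following is an added example, not the poster's InsightscanAI code or any Replit tooling: it models a DICOM dataset as a plain dict of (group, element) tag tuples to real DICOM tag numbers (PatientName, BurnedInAnnotation, and so on), so it runs offline without pydicom; the dataset contents and the vendor private tag are constructed sample values. It contrasts a blocklist scrub (remove the tags you know carry PHI) with an allowlist scrub (keep only the tags you know are safe), then reports what can still leak: private tags, free-text attributes that happen to contain identifiers, and annotations burned into the pixel data, which no header-level scrub touches.

```python
"""Why a DICOM header scrub is not a complete PHI removal (added example)."""

# Real DICOM tag numbers, (group, element).
PATIENT_NAME = (0x0010, 0x0010)
PATIENT_ID = (0x0010, 0x0020)
PATIENT_BIRTH_DATE = (0x0010, 0x0030)
PATIENT_ADDRESS = (0x0010, 0x1040)
INSTITUTION_NAME = (0x0008, 0x0080)
REFERRING_PHYSICIAN = (0x0008, 0x0090)
STUDY_DESCRIPTION = (0x0008, 0x1030)
IMAGE_COMMENTS = (0x0020, 0x4000)
BURNED_IN_ANNOTATION = (0x0028, 0x0301)
MODALITY = (0x0008, 0x0060)
ROWS = (0x0028, 0x0010)
COLUMNS = (0x0028, 0x0011)
PIXEL_DATA = (0x7FE0, 0x0010)

# Constructed sample dataset. Odd group numbers (0x0009) are vendor private
# tags; here one carries a copy of the patient name, as some scanners do.
# Free-text attributes carry a name and a DOB that a tag blocklist won't see.
SAMPLE_DATASET = {
    PATIENT_NAME: "DOE^JANE",
    PATIENT_ID: "MRN-00012345",
    PATIENT_BIRTH_DATE: "19700101",
    INSTITUTION_NAME: "Example Hospital",
    REFERRING_PHYSICIAN: "SMITH^JOHN",
    STUDY_DESCRIPTION: "Chest CT for Jane Doe",
    IMAGE_COMMENTS: "Pt DOB 01/01/1970, f/u",
    BURNED_IN_ANNOTATION: "YES",       # the pixels themselves show text
    MODALITY: "CT",
    ROWS: 512,
    COLUMNS: 512,
    (0x0009, 0x1010): "DOE^JANE",      # constructed private tag
    PIXEL_DATA: b"\x00" * 16,          # stand-in for image bytes
}

# Identifiers we constructed into the sample, used to audit the scrub result.
SAMPLE_PHI_STRINGS = ["jane", "doe", "1970", "00012345"]

# Blocklist: tags known to carry direct identifiers.
BLOCKLIST = {PATIENT_NAME, PATIENT_ID, PATIENT_BIRTH_DATE,
             PATIENT_ADDRESS, REFERRING_PHYSICIAN}

# Allowlist: the minimum a viewer needs; everything else is dropped.
ALLOWLIST = {MODALITY, ROWS, COLUMNS, BURNED_IN_ANNOTATION, PIXEL_DATA}


def is_private_tag(tag):
    """DICOM private tags have an odd group number."""
    return tag[0] % 2 == 1


def scrub_blocklist(dataset):
    """Remove only the tags on the blocklist; everything unknown survives."""
    return {t: v for t, v in dataset.items() if t not in BLOCKLIST}


def scrub_allowlist(dataset):
    """Keep only allowlisted tags; unknown and private tags are dropped."""
    return {t: v for t, v in dataset.items() if t in ALLOWLIST}


def residual_phi_findings(dataset, phi_strings):
    """Audit a scrubbed dataset for the ways PHI commonly survives a scrub.

    Returns a list of (reason, tag) tuples. A header scrub can never clear
    the 'burned-in annotation' finding; that needs pixel-level redaction.
    """
    findings = []
    for tag, value in dataset.items():
        if is_private_tag(tag):
            findings.append(("private tag retained", tag))
        if isinstance(value, str) and any(
                s.lower() in value.lower() for s in phi_strings):
            findings.append(("phi string in text attribute", tag))
    if str(dataset.get(BURNED_IN_ANNOTATION, "")).upper() == "YES":
        findings.append(("burned-in annotation in pixel data",
                         BURNED_IN_ANNOTATION))
    return findings


def count_by_reason(findings):
    """Summarise findings as {reason: count} for easy comparison."""
    summary = {}
    for reason, _tag in findings:
        summary[reason] = summary.get(reason, 0) + 1
    return summary


if __name__ == "__main__":
    for name, fn in (("blocklist", scrub_blocklist), ("allowlist", scrub_allowlist)):
        scrubbed = fn(SAMPLE_DATASET)
        print(name, count_by_reason(residual_phi_findings(scrubbed, SAMPLE_PHI_STRINGS)))
```

Running it shows the blocklist scrub leaving PHI in the study description, the image comments and the private tag, while the allowlist scrub clears all of those; both still report the burned-in annotation, which is why a header-only tool cannot claim complete de-identification and why a policy of not uploading PHI in the first place remains the primary control.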
Yup. Top priority for me as well. Put me down as a plus one for 'I want this, please'.
This is exactly how I use Replit: to prototype apps that WILL be HIPAA compliant when they are rebuilt as features in our actual HIPAA-compliant production environment. I'd never drop real PHI/PII in any part of Replit. It would be nice, but based on my experience with other HIPAA-compliant versions of tools (HubSpot Enterprise w/ Data Protection), you get into having a Replit account manager, enterprise sales cycles, enterprise PRICING, etc.
Two separate questions: whether Replit as a company and platform is HIPAA compliant (Replit can control this), and whether the apps built and deployed via Agent are HIPAA compliant (Replit has close to zero control over this because it doesn't have control over what data your app processes, how you use that data, or your company's documents, policies and compliance programme). Neither Replit nor any other vibecoding tool can "give" you HIPAA compliance for your app.
A better question is: are the components you're using HIPAA compliant? In most cases with Replit, by default, that would be Neon for the DB. They are HIPAA compliant, but you'll need to get a BAA with them. That is the tricky part.
Also, I encourage you to verify that you’re required to be HIPAA compliant.
Oftentimes people think that any time someone talks about health with you, it has to be HIPAA. This is not the case.
Only if you are:
- Covered Entities: Organizations directly involved in healthcare or health plan services that transmit PHI electronically.
- Business Associates: Vendors, contractors, or third parties that perform services for covered entities and handle their PHI.
- Subcontractors: Entities hired by business associates that access or manage PHI.
It very well could be that you're required to follow HIPAA. But if you're not attached to a covered entity, or using your data in conjunction with or under contract to one, you may not need to worry and just need to follow best practices for encrypting data at rest, which you should do anyway.
What is your use case?